Updated Trickbot Deploys Fresh Reconnaissance ToolReport: Botnet Now Capable of Exfiltrating Additional Data From Networks
The operators behind the Trickbot malware are deploying a new reconnaissance tool dubbed "Masrv" to exfiltrate additional data from targeted networks, according to a Kryptos Logic report released this week.
The report notes that the Masrv tool incorporates an open-source network scanner called Masscan that can probe networks to target Microsoft Windows operating systems. The botnet operators then deploy two backdoors that can be used for additional data exfiltration and to maintain persistence within a compromised device or network.
Kryptos Logic notes the new malware components are an indication that Trickbot’s operators continued to invest in improving their toolkit despite the recent takedown of some of the cybercrime operation’s servers. It’s unclear when the latest campaign began, but researchers say attacks using the latest tool are ongoing (see: Analysis: Will Trickbot Takedown Impact Be Temporary?).
The report notes attackers use one of two versions of the Masrv scanner depending on which version of Windows the targeted victim is using. Once the malware has scanned the network, it then communicates with the main command-and-control server and transmits details such as the frequency of the scan and when the scan is complete.
Once those tasks are complete, Trickbot can then deploy additional malware to the compromised network, the Kryptos Logic report notes.
This additional malware includes a backdoor called Anchor, which the operators of Trickbot have been using since 2019 as a way to communicate with a command-and-control server. This malware enables malicious traffic to blend in with normal traffic by using DNS tunneling techniques (see: US Hospitals Warned of Fresh Wave of Ransomware Attacks).
The other malware that the Kryptos Logic team found - Bazar - is another backdoor that allows the botnet to maintain persistence within the compromised network (see: Phishing Campaign Tied to Trickbot Gang).
In October 2020, Microsoft led a coalition of security researchers and U.S. federal agencies in an effort to disrupt Trickbot's operations and dismantle its infrastructure. Although the effort was initially successful at taking down the botnet, analysts warned that its operators would likely rebuild its malicious network (see: Trickbot Rebounds After 'Takedown').
On Jan. 29, another report by Menlo Security revealed that Trickbot was still active and was targeting insurance companies and legal firms in North America (see: Is Trickbot Botnet Making a Comeback?).
Brandon Hoffman, CISO at security firm Netenrich, notes that malware authors are often able to revive their tools even when the infrastructure that supports them is shut down.
"With the people who wrote the code and set up that infrastructure still at large, these adversaries retain access to the code and the knowledge of how to repeat it. Having a new version emerge is almost expected," Hoffman says. "This can also be seen as the expected foreshadowing of an emergence of a new version of Emotet in the future. If that happens, it will follow the same pattern we have seen over the years."
Earlier this month, Europol led several international law enforcement agencies in an effort to dismantle the infrastructure that supported the Emotet botnet, which has been associated with Trickbot.
Trickbot first appeared as a banking Trojan in 2016, but it evolved into a botnet that could deliver other malicious code, such as ransomware. Before the Microsoft takedown in October 2020, the botnet was closely associated with Ryuk ransomware.
A month after Microsoft and others announced the Trickbot takedown, security firms began noticing new signs of life associated with the botnet. Security firm Bitdefender, for example, published a report that found Trickbot had rolled out an updated version of the botnet that made the malware more difficult to kill (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').